My Hash Is My Passport Understanding Web and Mobile Authentication
Total Page:16
File Type:pdf, Size:1020Kb
My Hash Is My Passport Understanding Web and Mobile Authentication ShmooCon - January 17, 2016 David Schuetz Senior Consultant, NCC Group @DarthNull Introduction 2 Agenda • Background • Definitions and Goals • Commonly Used Authentication Systems • Other Systems • Overall Evaluation • Response Builder Tool • Conclusion 3 Background 4 Background • You enter your password in a web application. • What happens next? 5 Authentication Happens • The server decides whether you are you • How does your password get to the server? • “That Depends” • Many different methods in use today • Close look at the five most common ones 6 Why do we care? • There’s a right way, and a wrong way • Explain the systems to three different audiences: • Testers: need to understand to evaluate the app • Risk acceptors: need to understand test reports • Developers: need to implement it properly • Also, nice for users to get a peek behind the scenes 7 Definitions and Goals 8 Definitions and Such • Authentication vs Identification vs Authorization • Focus is on what the client application does • Sometimes it actually is Authentication • Sometimes it’s technically Authorization • We’ll just call it all Authentication for now 9 Focus • Looking at authentication “protocol” or system • Strictly how it’s “supposed to work” • Assuming client and server are legit • Not hacked • Not a phishing site • Not a formal security analysis • Almost all of these have had some issues • What can an attacker do? 10 Real World Authentication • Your friend Tim walks up and says “Hi.” • You look at him, say “Hi,” and begin talking. • That was easy!! 11 How’d that work? • Someone simply recognizes you • (or compares your face to a trusted ID) • It’s hard to spoof that appearance • Especially if you factor in other cues • Anyone can watch, without weakening security 12 Not as easy in “Cyberspace” • Server doesn’t have years of personal experience • Or brains evolved for facial and behavioral recognition • So it relies on some kind of “factor.” • Usually a proof of knowledge that only the user has • Like a password 13 The Crux of the Problem • How do you securely show that password to the server? • In real life, you wouldn’t shout it out… You’d whisper. • On the network, you hide it with encryption 14 It’s a series of tubes Internet Tim’s Password Client “Enchanter” Server Encrypted TLS connection 15 (Hopefully, opaque tubes) Internet Tim’s Password Client “Enchanter” Server Encrypted TLS connection Evil Hacker 16 “We’re safe — we use TLS!” • 2011: Certificate Authority DigiNotar hacked • Fake certificates issued • 2011: iOS “Basic Constraints” bug • Real certs can sign fake certs • 2012: Trustwave issues globally trusted wildcard cert • 2014: Heartbleed bug - can expose private keys • 2015: Superfish Adware • Self-signed certs on Lenovo laptops can MITM anything • ? - present: Self-trusted Corporate DLP Proxies 17 Attack Surfaces • Login • When the user first connects to a service • Session • Continuous authentication • While using the application • Restart (login again) • “Remember me” functionality • After application has been unused for a time 18 Attacks - Stealing Credentials • Network: Disable TLS • Transit: Server, server network • Use: Server or client • Target application software • Intercept keystrokes, search memory • Storage: Server or client • Server - steal and crack passwords • Client - steal locally stored passwords and tokens • Client - steal improperly cached credentials 19 Session Tokens • Could send your password with every request… • …or could send a special code that only lasts a day Request Session Token Client GET cat.gif XYZZY314 Server 20 Token Compromise • If an attacker can steal the session token • Break encryption, attack server, attack client • They can make requests while pretending to be you Client GET cat.gif XYZZY314 Server Hacker XFER $$$$$ XYZZY314 Server 21 Make the Tokens Expire Faster • Using a “Nonce” - random string - tied to the token • If the nonce is repeated, server refuses request Unique Nonce Client GET cat.gif 784Q XYZZY314 Server XFER $$$$$ 784Q XYZZY314 Hacker Server “BZZZT!” ! 22 Nonces and Timestamps and Sigs • Server tracks all the used nonces • Token has to be cryptographically tied to nonce • Otherwise hacker could just change the nonce • Include timestamps - server can discard old nonces • Still doesn’t cover all attacks, but enough for now 23 Commonly Used Systems 24 Commonly Used Systems • Dozens of “mainstream” systems available today • Only a few in common use • Will describe five in detail: • Password or “Basic” • Digest • NTLM • OAuth 1 • OAuth 2 • Basic, Digest, and NTLM generally built into browsers 25 Authorization: Basic 26 Authorization: Basic • Simply send your userid and password to the server 27 Assessment: Basic • Good: • Simplest method • Can use built-in browser form • Trigger with “WWW-Authenticate:” header • Or use HTML or Javascript form within a page • Bad: • Perfectly fine… IF you trust TLS • Use for sessions increases disclosure risk • (also, don’t ever put it in the URL…even hashed) 28 Authorization: Digest 29 Authorization: Digest • More complicated • Server sends unique parameters • Client combines these with the user’s password • Creates token that’s uniquely tied to the nonce • The password is never sent over the network • Optionally includes a signature of the request 30 Authentication Flow • Client requests a resource • Server replies “Authenticate with Digest, please” • Provides realm, nonce, algorithm choice, QOP • Client builds response, based on: • Server data, client data, user credentials request digest data settings data signature request 31 Computing Response MD5 • Server nonce: random string MD5 • Client nonce: random string userid realm password • Client counter: number server nonce • QOP: Quality of Protection • “auth” or “auth-int” client counter • Server selects algorithm client nonce • MD5 qop • All are strings (hashes in hex) MD5 Joined with “:” • HTTP method path 32 Server challenge WWW-Authenticate: Digest nonce=“1450807853.38:E10B: 497c0eadca9e962b45e54cd2629399b3", realm="caerbannog", algorithm="MD5", opaque="ADAC33E813C0CE930F4744C90E02396E", qop="auth", stale="false" 33 Hashes and Nonces MD5('tim:caerbannog:Enchanter') = 005a400eaf17492454011ddeb50c4a60 MD5('GET:/') = 71998c64aea37ae77020c49c00f73fa8 MD5(‘005a400eaf17492454011ddeb50c4a60: 1450807853.38:E10B: 497c0eadca9e962b45e54cd2629399b3: 00000002:9cf9d4679b7d83fb:auth: 71998c64aea37ae77020c49c00f73fa8') = df529127ed79076430be29b897622ae5 34 Complete Response Authorization: Digest username="tim", nonce=“1450807853.38:E10B: 497c0eadca9e962b45e54cd2629399b3", realm=“caerbannog", algorithm=MD5, qop=auth, uri="/", response="df529127ed79076430be29b897622ae5”, opaque="ADAC33E813C0CE930F4744C90E02396E", nc=00000002, cnonce="9cf9d4679b7d83fb" 35 Assessment: Digest • Not as frequently used for session credentials • Good: • Client / sever nonce help prevent replay attacks • Password not sent over the network • QOP auth-int detects modification of request • Bad: • Relies on MD5(username:realm:password) • Hash compromise allows immediate account access • Completed response may be vulnerable to brute-force • Uncertain support for auth-int 36 NTLM 37 NTLM • Windows NT LAN Manager authentication • Proprietary, not very well publicly documented • Binary protocol, very complicated request NTLM? Sure! Challenge Response 38 Type 1 - Client Begins • Server requests NTLM • Client responds with “Type 1” message HTTP/1.1 401 Unauthorized WWW-Authenticate: NTLM Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 4e54 4c4d 5353 5000 0100 0000 0782 0800 NTLMSSP......... 0000 0000 0000 0000 0000 0000 0000 0000 ................ 39 Type 2 - Server Challenge • Server responds with challenge WWW-Authenticate: NTLM [long base64 string] 4e54 4c4d 5353 5000 0200 0000 1000 1000 NTLMSSP......... 3000 0000 0102 8100 6e64 fc33 bb92 a567 0.......nd.3...g 0000 0000 0000 0000 8000 8000Server 4000Challenge 0000 ............@... 6d00 7900 7400 6100 7200 6700 6500 7400 m.y.t.a.r.g.e.t. 0200 0000 0100 1400 6d00 7900 6300 6f00 ........m.y.c.o. 6d00 7000 7500 7400 6500 7200 0400 2800 m.p.u.t.e.r...(. 6d00 7900 6400 6f00 6d00 6100 6900 6e00 m.y.d.o.m.a.i.n. 2e00 6500 7800 6100 6d00 7000 6c00 6500 ..e.x.a.m.p.l.e. 2e00 6300 6f00 6d00 0300 2c00 6d00 7900 ..c.o.m...,.m.y. 6300 6f00 6d00 7000 7500 7400 6500 7200 c.o.m.p.u.t.e.r. 2e00 6500 7800 6100 6d00 7000 6c00 6500 ..e.x.a.m.p.l.e. 2e00 6300 6f00 6d00 0000 0000 0000 0000 ..c.o.m......... Target Block 40 Response - NTLMv1 • Calculate NTLM hash of user’s password • Pad with 5 bytes of zeroes to make 21 bytes • Convert to 3 DES keys, 64-bits each • Spread bits out in 7-bit blocks • Add parity bits in between and at end • Read back as 8-byte, 64 bit key (x3) • Encrypt the challenge with each key in turn • Append all the results into one long response • Repeat with LM hash 41 Building DES Keys MD4(UTF-16(“Enchanter”)) = 52dac53d34d998ee55b1137d647e93ce Hash: 5 2 d a c 5 Binary: 0101 0010 1101 1010 1100 0101 ... Spread: 0101 001x 0110 110x 1011 000x 101 ... Parity: xxxx xxx0 xxxx xxx1 xxxx xxx0 .... Keys: 5 2 d 6 b 0 .... Final keys: 526db0a7d3a76731, ef2a6d2337ea91fd, 92e6800101010101 Key 1 Challenge DES MD4 password Key 2 Challenge DES padding Re-arrange Bits Key 3 Challenge DES 42 Encrypting Response Server challenge: 6e64fc33bb92a567 key1 = 526db0a7d3a76731, c1 = 8f86b036e38ac5b8 key2 = ef2a6d2337ea91fd, c2 = f5913b338af9912e key3 = 92e6800101010101, c3 = e3037866d94f62d7 NTLM V1 response: 8f86b036e38ac5b8f5913b338af9912ee3037866d94f62d7